
Custom ZTKA Access

Important

This capability is currently available with the self-hosted controller and in Preview Orgs for the SaaS controller.


The RCTL utility provides the means to manage and automate the lifecycle of Custom ZTKA Access resources. The following operations can be performed on these resources for projects within an organization.

Resource             Create  Get  Apply  Update  Delete
Custom ZTKA rule     YES     YES  YES    YES     YES
Custom ZTKA policy   YES     YES  YES    YES     YES
Custom Role          YES     YES  YES    YES     YES

ZTKA Custom Access implementation involves the following three steps:

  • Step 1 - Create Rules: ClusterRole or Role YAML definition files are provided as part of this step; the applicability of each rule is determined by its project/cluster selection.

  • Step 2 - Create Policies: a policy is a collection of one or more rules and is referenced by Custom Roles.

  • Step 3 - Create Custom Roles: a Custom Role configuration selects a base role along with the overlay ZTKA Custom Access policies to apply on top of it.


Create Custom ZTKA rule

Run the command below to create a custom ZTKA rule from a spec YAML file.

./rctl apply -f rule_filename.yaml

An illustrative example of the spec YAML file (artifact upload) is shown below:

apiVersion: system.k8smgmt.io/v3
kind: ZTKARule
metadata:
  name: rctl-rule-all1
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/ztkar.yaml
    options: {}
    type: Yaml
  clusterSelector:
    selectAll: true
  projectSelector:
    matchNames:
      - z-1
      - defaultproject
  version: v1

An illustrative example of the spec YAML file (Git repo based) is shown below:

apiVersion: system.k8smgmt.io/v3
kind: ZTKARule
metadata:
  name: rctl-rule-all1
spec:
  artifact:
    artifact:
      paths:
        - name: path/to/ztkarule/file.yaml
      project: defaultproject # project in which the repo is present
      repository: some-repo
      revision: master
    options: {}
    type: Yaml
  clusterSelector:
    selectAll: true
  projectSelector:
    matchNames:
      - z-1
      - defaultproject
  version: v1

Create Custom ZTKA policy

An illustrative example of the ZTKA Policy spec YAML file is shown below:

apiVersion: system.k8smgmt.io/v3
kind: ZTKAPolicy
metadata:
  name: rctl-pol-all1
spec:
  version: v1
  ztkaRuleList:
    - name: rctl-rule-all1
      version: v1
    - name: rctl-rule-all2
      version: v2

Create Custom Role

An illustrative example of the Custom Role spec YAML file is shown below:

apiVersion: system.k8smgmt.io/v3
kind: CustomRole
metadata:
  name: rctl-ctr-all1
spec:
  baseRole: ADMIN
  ztkaPolicyList:
    - name: rctl-pol1
      version: v1
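A policy references rules only by name and version, and a Custom Role references policies only by name and version, so a mistyped or not-yet-applied name is discovered only when the spec is applied. The following Python check is added here (it is not part of RCTL or its documentation): it cross-checks a set of spec files, modelled as the dicts yaml.safe_load() would return, and reports every reference that resolves to nothing. The constructed sample reuses the page's illustrative names.

```python
# Added example, not RCTL code: referential-integrity check across a set of
# ZTKARule / ZTKAPolicy / CustomRole specs before they are applied.

def index_by_kind(docs):
    """Map kind -> {(name, version)} for every spec in the set."""
    idx = {}
    for doc in docs:
        key = (doc["metadata"]["name"], doc["spec"].get("version"))
        idx.setdefault(doc["kind"], set()).add(key)
    return idx

# Which list in a spec points at which kind of resource.
LINKS = {"ZTKAPolicy": ("ztkaRuleList", "ZTKARule"),
         "CustomRole": ("ztkaPolicyList", "ZTKAPolicy")}

def dangling_references(docs):
    """Return (referrer kind, referrer name, target kind, target name, version)
    for every list entry that no spec in `docs` satisfies, in file order."""
    idx = index_by_kind(docs)
    missing = []
    for doc in docs:
        if doc["kind"] not in LINKS:
            continue
        list_key, target_kind = LINKS[doc["kind"]]
        for ref in doc["spec"].get(list_key, []):
            if (ref["name"], ref.get("version")) not in idx.get(target_kind, set()):
                missing.append((doc["kind"], doc["metadata"]["name"],
                                target_kind, ref["name"], ref.get("version")))
    return missing

# Constructed specs mirroring the page's examples (in practice, load each file
# with yaml.safe_load): the policy refers to a rule version that is not in the
# set, and the role refers to a policy name that is not in the set.
SPECS = [
    {"kind": "ZTKARule", "metadata": {"name": "rctl-rule-all1"},
     "spec": {"version": "v1", "artifact": {"type": "Yaml"}}},
    {"kind": "ZTKAPolicy", "metadata": {"name": "rctl-pol-all1"},
     "spec": {"version": "v1", "ztkaRuleList": [
         {"name": "rctl-rule-all1", "version": "v1"},
         {"name": "rctl-rule-all2", "version": "v2"}]}},
    {"kind": "CustomRole", "metadata": {"name": "rctl-ctr-all1"},
     "spec": {"baseRole": "ADMIN", "ztkaPolicyList": [
         {"name": "rctl-pol1", "version": "v1"}]}},
]

if __name__ == "__main__":
    for kind, name, tkind, tname, ver in dangling_references(SPECS):
        print(f"{kind}/{name} -> {tkind} {tname} {ver}: not found, apply it first")
```

Run it over the specs you intend to apply; an empty result means every rule and policy the set refers to is defined within it, in the order rule, policy, role.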

List ZTKA Rules

Use this command to retrieve the list of ZTKA rules. An illustrative example of the output is shown below.

./rctl get ztkarule
+---------------------------+---------------------------+---------------+-------------------------------------------------------+------------------------+
| ZTKARULE NAME             | VERSION                   | ARTIFACT TYPE | ARTIFACT FILES                                        | REPOSITORY             |
+---------------------------+---------------------------+---------------+-------------------------------------------------------+------------------------+
| test-rctl-1               | v1                        | Yaml          | paths:{name:"file:///artifacts/ztkar_podreader.yaml"} |                        |
+---------------------------+---------------------------+---------------+-------------------------------------------------------+------------------------+
| test-rctl-2               | v1                        | Yaml          | paths:{name:"file://artifacts/ztkacr.yaml"}           |                        |
+---------------------------+---------------------------+---------------+-------------------------------------------------------+------------------------+

Get Specific ZTKA Rule

Below is an example of retrieving a specific ZTKA rule.

./rctl get ztkarule test-rule
+---------------+---------+---------------+----------------------------------------------------+------------+
| ZTKARULE NAME | VERSION | ARTIFACT TYPE | ARTIFACT FILES                                     | REPOSITORY |
+---------------+---------+---------------+----------------------------------------------------+------------+
| test-rule     | v1      | Yaml          | paths:{name:"file://nginx_ns_pod_read_write.yaml"} |            |
+---------------+---------+---------------+----------------------------------------------------+------------+

List ZTKA Policies

Use this command to retrieve the list of ZTKA policies. An illustrative example of the output is shown below.

./rctl get ztkapolicy
+--------------------+---------------------------+---------------------------+
| ZTKAPOLICY NAME    | VERSION                   | RULES                     |
+--------------------+---------------------------+---------------------------+
| test-rctl-1        | v1                        | test-rctl-1               |
|                    |                           | test-rctl-2               |
|                    |                           |                           |
+--------------------+---------------------------+---------------------------+
| test-secret-pod1   | v1                        | test-secret-cr1           |
|                    |                           | test-podreader1           |
|                    |                           |                           |
+--------------------+---------------------------+---------------------------+
| test-1             | ver1                      | test-rule1                |
|                    |                           |                           |
+--------------------+---------------------------+---------------------------+
| test-ztka-policy   | v1                        | test-swagger              |
|                    |                           | test-rctl-2               |
+--------------------+---------------------------+---------------------------+

Get Specific ZTKA Policy

Below is an example of retrieving a specific ZTKA policy.

./rctl get ztkapolicy test-policy
+-----------------+---------+-----------+
| ZTKAPOLICY NAME | VERSION | RULES     |
+-----------------+---------+-----------+
| test-policy     | v1      | test-rule |
|                 |         |           |
+-----------------+---------+-----------+

List Custom Roles

Use this command to retrieve the list of Custom Roles.

./rctl get customroles
+-------------------------+-----------------+--------------------+
| CUSTOM ROLE             | ABAC POLICY     | ZTKA POLICY        |
+-------------------------+-----------------+--------------------+
| test-role1              | test-policy1    |                    |
|                         |                 |                    |
+-------------------------+-----------------+--------------------+
| test-eks-role           | test-eks-policy |                    |
|                         |                 |                    |
+-------------------------+-----------------+--------------------+
| test-role               | test-policy     |                    |
|                         |                 |                    |
+-------------------------+-----------------+--------------------+

Get Specific Custom Role

Below is an example of retrieving a specific Custom Role.

./rctl get customrole test-role
+-------------+-------------+-------------+
| CUSTOM ROLE | ABAC POLICY | ZTKA POLICY |
+-------------+-------------+-------------+
| test-role   |             | test-policy |
|             |             |             |
+-------------+-------------+-------------+

Delete Commands

Use the commands below to delete ZTKA rules, ZTKA policies and Custom Roles, either by name or from the spec file that created them.

ZTKA Rules

./rctl delete zr <rule-name>

OR

./rctl delete zr -f <rule_file.yaml>

ZTKA Policies

./rctl delete zp <policy-name>

OR

./rctl delete zp -f <policy_file.yaml>

Custom Roles

./rctl delete ctr <custom-role-name>

OR

./rctl delete ctr -f <custom_role_file.yaml>